LastPass has released a new tool to show you which of your supposedly secure online accounts are at risk of being compromised, as the Heartbleed fallout continues with numerous major sites admitting to being hit by the devastating bug.

Heartbleed: http://heartbleed.com/ is the recently disclosed programming flaw in OpenSSL: http://www.openssl.org/ that would allow attackers to read the contents of a server's memory, exposing critical information such as SSL site keys, usernames and passwords, and user data.

LastPass shows your bleeding hearts

Not content with letting users check Heartbleed-affected sites one by one with its individual site-checking tool, the LastPass password manager now has an automated solution for its users: https://lastpass.com/heartbleed/

If you're using LastPass in your browser, just tap on the LastPass icon and go to Tools > Security Check.

This will redirect you to the LastPass website, where the service will scan your password vault and come up with a list of sites affected by Heartbleed. The list will also tell you how old your password is, when the site last updated its security certificates, and whether you should change your password.

I'm a longtime LastPass user. When I ran the security check against my own vault, it showed a number of accounts that needed to have their password changed. While helpful, the LastPass tool wasn't perfect. It advised me to wait before changing my Tumblr password, for example, even though Tumblr publicly advised users to change their passwords before the new LastPass security check was publicly available.

Nevertheless, as a quick way to head off potential problems, the LastPass integrated tool is a great place to start a Heartbleed self-audit.

Heartbleed highlights

A number of major sites have recently admitted they were affected by Heartbleed and issued fixes for their services, including:

McAfee’s Heartbleed Test tool has been posted and enables users to test sites for the presence of this vulnerability.

———-

A recent vulnerability in OpenSSL is causing quite a stir. Documented as CVE-2014-0160, this vulnerability has a significant impact on the perceived security of a number of servers across the globe.

One of the keys to this vulnerability is SSL heartbeats, which are used to keep a session alive without the need to renegotiate the SSL session. Heartbeat messages can be sent without authenticating with the server.

The exploit

Taking advantage of this vulnerability, attackers can dump up to 64KB of memory near the memory allocated for the SSL heartbeat packet on a vulnerable machine. The attackers won’t know in advance what information they might gather, but because the attack can be repeated many times, they can retrieve many 64KB chunks. The memory chunks could contain sensitive information such as passwords, session IDs, private keys, or any other type of data left in memory on the affected server.

One of the factors that makes this such a critical vulnerability is that there are no files to detect. It’s completely network-borne and leaves no trace that a system has been attacked. For this reason, network tools are the primary means of detecting and mitigating this type of attack.
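As an added example, not code from OpenSSL or from the article, this C validator applies to a TLS heartbeat record the length check that vulnerable versions lacked and that 1.0.1g added: the declared payload length plus padding must fit inside the record actually received. The same check is what a network inspection tool applies to flag a suspect heartbeat. The sample records are constructed, and the names hb_validate and hb_build_response are assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload
 * length, payload bytes, then at least 16 bytes of random padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Verdict for one heartbeat record, decided before any payload is copied. */
enum hb_verdict { HB_OK = 0, HB_TRUNCATED = 1, HB_OVERSIZED = 2, HB_BAD_TYPE = 3 };

/* Validate a heartbeat record of record_len bytes. On HB_OK, *payload_len
 * receives the declared payload length. Bytes past record_len are never read. */
enum hb_verdict hb_validate(const uint8_t *rec, size_t record_len, uint16_t *payload_len)
{
    /* Header (1 + 2) plus minimum padding must fit before the length field is trusted. */
    if (record_len < 1 + 2 + HB_PADDING)
        return HB_TRUNCATED;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The Heartbleed check: a declared payload that does not lie inside the
     * received record would make the echo copy adjacent heap memory. */
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len)
        return HB_OVERSIZED;
    *payload_len = payload;
    return HB_OK;
}

/* Build the echoed response only for validated records; returns bytes written, or 0. */
size_t hb_build_response(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_len)
{
    uint16_t payload;
    if (hb_validate(rec, record_len, &payload) != HB_OK)
        return 0;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len < need)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* only bytes that were really received */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code fills padding with random bytes */
    return need;
}

/* Constructed sample records (not captured traffic): a benign 3-byte echo and a
 * malformed record whose length field claims far more payload than it carries. */
static const uint8_t HB_SANE[]  = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t HB_LYING[] = {HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c',
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
```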

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This in turn may allow attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

Only products that use OpenSSL Versions 1.0.1a through 1.0.1f are vulnerable. This bug was introduced in OpenSSL in December 2011 and has been in the wild since OpenSSL 1.0.1 appeared on March 14, 2012. OpenSSL Version 1.0.1g, released on April 7, fixes the bug.

CVE-2014-0160

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle heartbeat extension packets. This error allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, also known as the Heartbleed bug.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Here is the general consensus about what is vulnerable and what is not. We’ll update this list as more information appears.

Vulnerable:

• The full list of clients is not yet known
• Android
• Browsers on Linux platforms could be vulnerable
• Third-party code using Python/Ruby/Perl OpenSSL libs may be vulnerable
• Windows programs linked against vulnerable versions of OpenSSL may be vulnerable
• OpenVPN
• Many vendors are currently evaluating their position
• Applications using OpenSSL 1.0.1

The Metasploit module for CVE-2014-0160 (openssl_heartbleed.rb) is available. Its settings allow for the tweaking of TLS Versions 1.0 to 1.2 as well as ports, connection timeouts, and more.

Recommendations

• Customers must upgrade to OpenSSL version 1.0.1g or install a version of OpenSSL configured with -DOPENSSL_NO_HEARTBEATS
• Customers should be aware that server certificates that are or were protecting data could have been leaked. Attackers with compromised server certificates can perform a man-in-the-middle attack
• Ensure that Internet browsers are set to check for revoked certificates
• Any self-signed certs should be regenerated using an updated version of OpenSSL, as previous certs could be compromised